This replaces the use of the logger in the IPFilteringN2NAuthenticator with the
AuditTrail, so that the connection granted or denied messages will now be seen
with the rest of the audit output.
Closeselastic/elasticsearch#101
Original commit: elastic/x-pack-elasticsearch@10218a45a9
- SSLService needs to be lazy loaded (only loaded when required). Guice provider doesn't seem to work as all singleton bindings are forced to be loaded eagerly. For this reason, a new `SSLServiceProvider` is introduced and is injected wherever the SSLService might be needed (SSLService is never injected directly)
- `IPFilteringN2NAuthenticator` is now always injected and used. enabling/disabling the filtering is handled within the `IPFilteringN2NAuthenticator` and the `SecuredMessageChannelHandler` on the transport is always set. Although we add another handler to netty's event chain (even while having ip filtering disabled), the overhead of this handler is negligible and this will also enabled enabling/disabling filtering at runtime (if we choose to support it) via API later on.
Original commit: elastic/x-pack-elasticsearch@cd44ecd6ac
tests.timezone and tests.locale are values that gets randomized all the time (even without configuring them). They don't get printed yet out with shield failures as this was only recently added to es core, but it makes sense to get ready and allow to configure them for better test repeatability.
Also removed support for es.node.mode and es.node.local as we always use network since we test with unicast discovery only.
Original commit: elastic/x-pack-elasticsearch@d03fa0c162
Today it is possible to configure 3 realms in shield - `esusers`, `ldap` and `active_directory`. These realms are created once based on the configuration. There are several problems with this approach:
- Taking `ldap` as an example, it is currently not possible to have multiple `ldap` realms configured (where one serving as a fallback for the other). While the `ldap` realm itself enables defining multiple ldap URLs, it has the limitation that the fallback LDAP must have the exact same configuration as the primary LDAP (+ there's the limitation that all URLs must either us SSL or not... there cannot be a mix of SSL URL and a normal URL)
- The realms are created and bound internally by guice. This will limit the configurability at runtime of the realms which we might want to introduce in shield 2.0.
This commit changes the way realms are managed & configured. Instead of having guice bind the realms themselves. A new realm factory construct will be introduced. The realm factory will represent a realm type and guice will bind these factories. At load time, we'll read the configuration and based on the types of the configured realms, the relevant factories will create the realms based on the settings. This means that potentially we can expose the realms as a dynamic configuration and rebuild the realm chain at runtime.
A nice side effect of this approach is that the multiple URLs feature that is currently supported by both `ldap` and `active_directory` can be dropped. Instead, the users will just need to configure multiple `ldap`/`active_directory` realms.
Closes: elastic/elasticsearch#370
Original commit: elastic/x-pack-elasticsearch@3232f153bb
Every test class was previously running against its own SUITE cluster composed of a single node due to misconfiguration.
Also there were some repetitions and bugs in the settings: first of all unicast wasn't properly configured, also the plugin wasn't registered properly in the transport client, thus the "shield.user" settings wasn't properly converted into the basic auth header. For the very same reason the settings used for authc wasn't randomized for transport client.
Extracted out all the needed configuration to the `ShieldSettingsSource` class, that takes care of the unicast configuration, loading of the plugin and all of the configuration files and parameters.
Used the global cluster whenever possible, that has the following characteristics:
- unicast discovery
- ssl configured and enabled at the transport level
- ssl configured but disabled at the http level (REST tests use the same cluster and don't support SSL at this time)
- single user configured with an allow_all role
- auditing enabled or not is randomized
- the setting used to do basic auth is randomized between reuest.headers.Authorization and our own shield.user for both node and transport client
Test classes that need to override defaults settings can do so by declaring scope=SUITE and overriding the nodeSettings method. Also roles, users and users_roles have specialized methods to be overridden that just return the content of the whole file if it differs from the default. Note that given that ssl is properly configured although disabled for http, tests that need it on can just enable it without any additional configuration.
Closeselastic/elasticsearch#31
Original commit: elastic/x-pack-elasticsearch@fa6f162497
Although it is nice to be alerted through assert as soon as we upgrade the es core dependency, this can be done only in test code, in production code it prevents us from supporting any future version once the code gets released.
Replaced the assert with a TODO.
Original commit: elastic/x-pack-elasticsearch@b0d59c2fd3
@NotThreadSafe is not a valid standard java annotation. Removed unused method and empty @param javadoc annotation
Original commit: elastic/x-pack-elasticsearch@3583bcfa66
The goal of TESTING.asciidoc is not to repeat what's already in the elasticsearch core test cheatsheet, but only add what is different in shield.
Original commit: elastic/x-pack-elasticsearch@51ad3894d2
This bug was caused by the fact that we serialize the user and don't re-authenticate on each node anymore. With auto create index, we ended up overriding the user in the context with system due to wrong checks (we would check the headers instead of the context). This bug was revealed by our REST tests.
Also refactored the method for readability and removed check for token.
Original commit: elastic/x-pack-elasticsearch@2aa260b46c
This will allow in the future to make this a dynamic setting,
which can also be shared accress the cluster instead of having
to use (and distribute) files.
Another change is, that the order of `deny` and `allow` now does not matter
anymore. Allow will win over deny.
The last change is that `all` now is `_all` in order to align with the
rest of Elasticsearch
Documentation has been updated accordingly.
Original commit: elastic/x-pack-elasticsearch@daa0b18343
Nuked the security filter and separated the different filter to their own constructs:
- Added a shield action package & module that is responsible for binding the shield action filter (and later will hold all shield actions)
- Added a shield rest package & module that is responsible for binding the shield rest filter and registering all the rest actions
- Moved the client & server transport filters to the transport package
General cleanup:
- Code formatting
- moved `ShieldPlugin` to the top level package `org.elasticsearch.shield`
Original commit: elastic/x-pack-elasticsearch@d652041860
Now, on first successful authentication, we put the user in the message header so it'll be send with any subsequent cluster internal requests (e.g. shard level search) to avoid re-authentication on every node in the cluster. We can do that now, as with multi-binding transport we can guarantee isolation of the internal cluster from client communication. While it's generally safe for transmission, the user header that is sent between the nodes is still signed using the `system_key` as yet another security layer.
As part of this change, also added/changed:
- A new audit log entry - anonymous access for Rest request.
- Changed how system user is assumed. Previously, system user was assumed on the receiving node when no user was associated with the request. Now the system user is assumed on the sending node, meaning, when a node sends a system originated request, initially this request won't be associated with a user. Shield now picks those requests up and attaches the system user to the role and then sends it together with the request. This has two advantages: 1) it's safer to assume system locally where the requests originate from. 2) this will prevent nodes without shield from connecting to nodes with shield. (currently, the attached users are signed using the system key for safety, though this behaviour may be disabled in the settings).
- System realm is now removed (no need for that as the system user itself is serialized/attached to the requests)
- Fixed some bugs in the tests
Closeselastic/elasticsearch#215
Original commit: elastic/x-pack-elasticsearch@3172f5d126
In order to run on different certs per port, we needed to adapt
the logic of starting up.
Also different profiles can now be applied to the N2NAuthenticator, so that
a different profile can allow/deny different hosts.
In addition minor refactorings have been done
* Group keystore/truststore settings instead of using underscores
* Change to transport profile settings instead of using specific shield ones
Documentation has been updated as well
Closeselastic/elasticsearch#290
Original commit: elastic/x-pack-elasticsearch@ad1ab974ea
There is a circular dependency in core 1.4.0 that cause plugins to fail depending on their constructors injection. We have ClusterService in InternalAuthorizationService that triggers this problem, solved for now replacing the dependency with a Provider. The original bug is already fixed in core: https://github.com/elasticsearch/elasticsearch/pull/8415 .
The problem manifested when enablieng a tribe node having shield installed on that node at the same time.
Closeselastic/elasticsearch#363
Original commit: elastic/x-pack-elasticsearch@ac339ef247
Our two transport impls depend on the SSLService at this point. Although we bind the SSLService only if ssl is enabled, it gets loaded anyway as it's a required dependency for the transports. We need to declare the dependency nullable and bind a null service manually when ssl is off.
Also resolved a couple of compiler warnings in SSLService and renamed some of its variables for better readability.
Closeselastic/elasticsearch#359
Original commit: elastic/x-pack-elasticsearch@2c99b2052e
As netty uses different bootstraps for sending/receiving requests, having a
single interface for filtering incoming/outgoing messages does not make a
lot of sense.
This commit changes from a TransportFilter interface to a InboundTransportFilter
interface, which is only able to filter incoming messages - which is all we do
anyway right now.
Original commit: elastic/x-pack-elasticsearch@545ff24136
Previously the userdel command always returned success regardless
of whether the user exists or not. When the user does not exist, a
message is now shown indicating that the user was not found.
Closeselastic/elasticsearch#346
Original commit: elastic/x-pack-elasticsearch@fb45d844ca
The rest tests were configured with transport and http settings for ssl. This
changes that to the shield.ssl settings.
Original commit: elastic/x-pack-elasticsearch@19b96f7fa3
There is no need to use TempraryFolder rules in our tests, since we depend on randomized runner which creates a globalTempDir() whose cleaning is already managed by the infra. Any other dir or file should be created under the global temp dir by specifying also its desired duration (SUITE or TEST).
Closeselastic/elasticsearch#337
Original commit: elastic/x-pack-elasticsearch@7456882d18
- The Permission class changed such that now there isn't a single `check` method that all permission types must implement. Instead, each permission type has its own (if at all) check method that is relevant to what the permssion is supposed to check.
- Moved the indices resolving logic outside of the indices permission class to the authorization service. Also, the authroization service has all the logic on how to check each one of the indices against a compound/merged permission view over all the user's roles. This fixes a critical bug where if a user had more than one role, its permission wouldn't be checked appropriately (they were checked separately which introduced invalid results)
- Cleaned up and got rid of unused code
- System role is no longer implementing Permission (no need for that)
- Additional tests were added with different users/roles configuration to try an capture such bugs
Fixeselastic/elasticsearch#304
Original commit: elastic/x-pack-elasticsearch@5c9a581019
This wraps logging statements in if checks. It also removes from the documentation specific logging examples.
Original commit: elastic/x-pack-elasticsearch@3ca7cdd4f4
This adds debugging statements and debugging documentation to help troubleshoot problems with ldap role establishment. This also adds ldap profiles for esvm
Original commit: elastic/x-pack-elasticsearch@a1f1cbd830
* Configuring the transport pipeline has changed due to adding profiles in 1.4
* Lots of tests needed to be changed in order to not leave thread pools around
* ApacheDs leaves a thread lingering around, thus a ThreadLeakFilter needed to be added
Original commit: elastic/x-pack-elasticsearch@de35362fc4
Also added a ShieldBuild class to return
* Shield version
* Shield build hash
* Shield build timestamp
Also added a '/_shield' endpoint which returns those fields.
Original commit: elastic/x-pack-elasticsearch@38928d1ef6
Now it logs the failure on debug and on trace it also logs the full stack trace. There's no point in logging it on info as a lot of the failures that will be logged are just fine (e.g. esusers will fail to authenticate and log the failure, but LDAP will succeed). This logging should only be applied for debugging purposes... for normal logging we have the audit logs
While at it, also cleaned up the Ldap realm code... change java.lang.SecurityException to shield's LdapException
Closeselastic/elasticsearch#281
Original commit: elastic/x-pack-elasticsearch@d5f0ad2efb
- Changed the behaviour of esusers realm so that whenever the `users` or the `users_roles` file are updated, the realm's cache expunges
- Changed LDAP realm such that when the `role_mapping.yml` file is updated, the realm's cache expunges
Also, cleaned up unused code (mainly around esusers and the different stores)
Original commit: elastic/x-pack-elasticsearch@3f093207da
Fixes a bug where the wrong exception and wrong error status code (500) were returned when the user sent the wrong username/password. This fixes this beahviour to return an `AuhthenticationException` with a 401 status code.
Fixeselastic/elasticsearch#271
Original commit: elastic/x-pack-elasticsearch@0a120caeae
jaymode
uboness
javanna
Paul Echeverri
Alexander Reelsen
c-a-m